CVE-2026-2460 is a vulnerability identified in Hitachi Energy's Relion REB500 product, specifically version 8.0.0.0. The flaw arises from improper privilege definitions (CWE-267), where an authenticated user with low-level privileges can exploit the DAC protocol to access and alter directory contents that they should not be authorized to manipulate. The DAC (Distributed Automation Communication) protocol, used for communication and control in energy automation systems, is leveraged here to bypass intended access controls. This vulnerability does not require user interaction but does require the attacker to have valid low-level credentials, which may be obtained through legitimate means or other attack vectors. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required beyond low-level (PR:L), no user interaction (UI:N), and high impact on confidentiality and integrity (VC:H, VI:H), with no impact on availability. The vulnerability could allow unauthorized data modification or disclosure within the system, potentially undermining operational integrity and confidentiality of critical energy infrastructure. No public exploits are known at this time, but the vulnerability's nature and affected product suggest a significant risk if weaponized. The lack of available patches at the time of publication necessitates immediate compensating controls to prevent exploitation.

The vulnerability could have severe consequences for organizations operating critical energy infrastructure using the Relion REB500 product. Unauthorized access and modification of directory contents could lead to data tampering, disruption of automation processes, or leakage of sensitive operational data. This compromises the confidentiality and integrity of the system, potentially causing incorrect system behavior or outages. Given the product's role in energy automation, exploitation could impact grid stability and reliability, leading to broader operational and safety risks. Attackers with low-level credentials could escalate their influence within the system, undermining trust in the automation environment. The high CVSS score reflects the potential for significant damage, especially in environments where the Relion REB500 is deployed at scale. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

Organizations should immediately audit and restrict user privileges to the minimum necessary, ensuring that low-level users cannot access sensitive directories or functions. Network segmentation should be enforced to limit access to the DAC protocol interfaces only to trusted and authorized devices. Continuous monitoring and logging of DAC protocol traffic should be implemented to detect anomalous access patterns or unauthorized modifications. Since no patches are currently available, organizations should engage with Hitachi Energy for updates and apply any vendor-provided fixes promptly once released. Additionally, implementing multi-factor authentication (MFA) for all users accessing the system can reduce the risk of credential compromise. Regular security assessments and penetration testing focused on access control mechanisms within the Relion REB500 environment are recommended to identify and remediate similar privilege issues. Incident response plans should be updated to include scenarios involving unauthorized access via this vulnerability.